Page 24 - ARUBA TODAY

A24    TECHNOLOGY
Monday 21 May 2018

Phone data-leak company: No record of location-data abuse

By FRANK BAJAK
Associated Press

A California company confirmed that a flaw in its website allowed outsiders to pinpoint the location of mobile phones in the United States without authorization.

But LocationSmart, which gathers real-time data on cellular wireless devices, says it has no evidence that anyone exploited the vulnerability before May 16, when a security researcher at Carnegie Mellon discovered it.

Brenda Schafer, a LocationSmart vice president, said via email Friday that the company is still seeking to verify that no location data was accessed without individual subscribers' consent. She did not respond to questions about LocationSmart's business practices or how long the flaw had existed.

Privacy advocates say the case is the latest to underscore how easily wireless carriers can share or sell consumers' geolocation information without their consent. The LocationSmart flaw was first reported by independent journalist Brian Krebs.

LocationSmart operates in a little-known business sector that provides data to companies for such uses as tracking employees and texting e-coupons to customers near relevant stores. Among the customers LocationSmart identifies on its website are the American Automobile Association, FedEx and the insurance carrier Allstate.

The New York Times reported earlier this month that a firm called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order. On Wednesday, Motherboard reported that Securus' servers had been breached by a hacker who stole user data that mostly belonged to law enforcement officials.

Securus may have obtained its location data indirectly from LocationSmart. Securus officials told the office of Sen. Ron Wyden, an Oregon Democrat, that they obtained the data from a company called 3Cinteractive, said Wyden spokesman Keith Chu. LocationSmart lists 3Cinteractive among its customers on its website.

Wyden said the LocationSmart and Securus cases underscore the "limitless dangers" Americans face due to the absence of federal regulation on geolocation data.

"A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child's cellphone to know when they were alone," he said in a statement.

A spokeswoman for the Federal Communications Commission said the LocationSmart case had been referred to the agency's enforcement bureau for investigation.

LocationSmart took the flawed webpage offline Thursday, a day after Carnegie Mellon University computer science student Robert Xiao discovered the software bug and notified the company, Xiao told The Associated Press.

The bug "allowed anyone, anywhere in the world, to look up the location of a U.S. cellphone," said Xiao, a doctoral researcher. "I could punch in any 10-digit phone number," he added, "and I could get anyone's location."

The web page was designed to let visitors test out LocationSmart's service by entering their cellphone number. The service would then ring their phone or send a text message to obtain consent, after which it would display the phone's location — generally to within several hundred yards.

But Xiao found a flaw that allowed him to bypass consent in just 15 minutes. "It would not take anyone with sufficient technical knowledge much time to find this," he said.

He wrote a script to exploit it.

Xiao's research indicated that LocationSmart had offered the service since at least January 2017.

LocationSmart touts itself as the "world's largest location-as-service company." It says it obtains location information from all major U.S. and Canadian wireless companies, with 95 percent coverage.

Verizon spokesman Rich Young said the company has taken steps to ensure that Securus can no longer request information on the company's wireless customers and that it was reviewing its relationship with LocationSmart. T-Mobile likewise said it has "addressed issues that were identified with Securus and LocationSmart."

Representatives for AT&T and Sprint said they don't allow sharing of location information without individual consent or a lawful order such as a warrant.

Gigi Sohn, a former top aide at the FCC during the Obama administration, said user location data has been at high risk since last year. That's when Congress repealed FCC privacy rules barring mobile wireless carriers from sharing or selling it without customers' express "opt-in" consent.

"At a bare minimum, consumers should be able to choose whether a company like LocationSmart should have access to this data at all," she said.

In this June 6, 2017, file photo, a man checks his phone in an alley in downtown Chicago. Associated Press